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(57) Abstract 

A system (30) tracks ownership data for 
data resources coupled on a network. The system 
includes a data extractor (40) for extracting data 
resource communication activity data fcom a plu- 
rality of network activity data sources, a database 
(44) of organizational data resource ownership 
data, and a commurdcation activity report gener- 
ator (48) for correlating extracted data resource 
communication activity data and organizatiorud 
data resource ownership data so that ownership 
of commtinication activity may be tracked. The 
data extractor (40) obtairuF network activity data 
from a variety of data sources such as firewalls 
(20). routers (12). servers (16), and PBXs (24). 
Nciworic activity data about conununication ac- 
tivity may be obtained directly from data sources 
initiating the communication activity, such as PC 
(34) and telephones (38), or from data sources 
that handle communication activity initiated by a 
data resource. The network activity data are dien 
processed to extract data resource communication 
activity data. Organizational data resource own- 
ership data includes data for identifying the data 
resources from which conununication activity data 
are extracted and the organizational entities owning the data resources. Typically, these organizational entities include omipany data, di- 
vision data, department data and owner data. This data may then be linked to identic an owner as being associated with a particular 
department and division within a company. The communication activity report generator may be used to generate a response to a directory 
query or a history query. A response to a directory query identifies one or more data resources and die ownership data linked to tiiat device. 
A response to a history query identifies for a particular time period, one or more data resources, the networic activity initiated by those data 
resources and ownership data linked to those data resources. 
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This appKcation cUrims the benefit of U.S. Piovisional AppUcation Serial No. 60/102.825 which 
was filed on October 2, 1998. 



iiTF.1 .n OF T mr tovrntioN 

This invention relates to device usage reporting systems, and more particularly, to systems for 
reporting usage of devices coupled to a computer network. 

10 BACKGROUN T^ THE INVENTION 

A communication network for an organization is typicaUy comprised of network devices 
coupled together through a computer network and a PBX switch, telephones, and other voice devices 
coupled together in a telephone network. Network devices such as firewalls, proxy servers, and web 
servers, along with some voice devices such as PBXs genemte logs representing inbound and outbound 
15 computer and telephone network activity, respectively. Wiftin the organization, telephone system 
managers review voice device generated log reports regarding telephone usage and network 
administrators use network device generated log reports regarding computer network resource 
utilization. As a result, system managers and network administrators focus on only a portion of «^ 
organization's communication network without knowledge of all of the communication network issues 

20 that exist for an organization. 

In many organizations abuse and misuse of communication devices cause significant 
productivity loss. In addition, more mundane tasks such as traffic management, costs allocation, 
operating efficiency, and disaster avoidance are often overlooked by system mam«ers or network 
administrators as they handle the surge of issues and problems that arise daily. As communication 

25 technology continues to converge, the telephone system manager and network administrator fimctions 
also converge. TWs is particularly the case in organizations that use compute integrated telephony. 
Computer mtegrated telephony couples the telephone netwwk to the computer network within an 
organization to provide data files to desktop computers in conjunction wiA telephone calls arriving at 
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an associated handset or to permit the exchange of messages between voiccmail systems and email 

systems. 

m organizations where the network communication network and the telephone communication 
network aie separated, vigilance regarding the efficient utilization of the company's communication 
resources is difficult. For example, employees that abuse telephone privUeges, especially long distance 
seivices, are frequently the same employees who use Internet access to obtain files that are not work 
related. A computer network manager may become aware of abuse from a network activity monitoring 
system that tracks Internet access or other computer network activities associated with an employee's 
computer user identifier. However, die telephone network manager does not have data that correlates 
the user identifier to any devices on the telephone network. Thus, abusive activity on one network is 
not readily available for detecting abusive activity on the other network. If information regarding the 
usage of communication resources for an organization were more integrated, abusive activities on one 
communication network mi^t lead to the discovery of abuses on another communication network for 
the organization. 

When employees are transferred within an organization, an employee is frequently assigned a 
new telephone extension and a new computer. When this occurs, both the computer network manager 
and telephone system manager must separately update their respective records to identify the change in 
ownership of devices on a network. Such changes include the reassignmem of the employee's old 
telephone extension number and computer user identifier as well as the assignment of a new telephone 
extension and/or computer user identifier to the employee. The synchronization of these data changes 
in computer network, telephone network, and organizational data across several databases may result in 
erroneous aUocaticm of activity from a data device to an enq>loyee or oAer ownership entity. As a 
consequence, maintainmg synchronization of ownership rights to various communication resources 
within an organization is difficult and problematic. 

What is needed is a system and mediod for integrating data about data devices used on 
computer and tdephone networics of an organization. 

What is needed is a system and meOiod for more efficient tracking and synchronization of 
ownership rights with respect to communication devices aa both computer and telephone networks. 
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gtnu TVt AWV OF THF r TNVRNTION 

The limitations noted ^th respect to usage and tn«king of 

overcoinebyasystemandinethodinadeinaccordancewiththeim^^^ 1^ 
: system of the pteseitt invention includes a data extractor for extracting data resource communication 
5 activity data fiom a plurality of network activity data sources, a database of organizational data resource 
ownership data, and a communication activity report generator for correlating extracted data resource 
communication activity data and organizational data resource ownership data so that ownership of 
communication activity may be tracked. 

The data extractor of the present invention obtains network activity data fiom a variety of data 
10 sources. The data sources include network communication devices such as fircwaUs, routers and 
servers and telephone communication devices such as a PBX or other telephone comiection 
router/manager. Network activity data about communication activity may be obtained directly from the 
data resources initiating the communication activity or from data sources that handle communication 
activity initiated by a data resource. Methods for obtaining network activity data include interrogation 
15 of an application programming interfiice (API), capture of an output ffle for a data log generated by the 
communication device, or reception of a data stream provided by the communication device to some 
output port on the device. The network activity data are then processed to extract data resource 
communication activity data. Data resource communication activity data includes communication 
activity identification data and data resource identification data. This data are prefiaably stored in a 
20 database for later correlation with data resource ownership data although the extraction and correlation 
may be performed without intennediate storage of the data resource communication activity data. 

Preferably, the data extractor has two modes of operation, namely, a test mode and an 
operational mode. In test mode, the data exUactor does not store data resource communication activity 
data but raflier displays the extracted data. This mode permits a system administrator to view the 
25 extracted data for a new data source and define a data source template that may later be used to extract 
data from the network activity data and genaate flie data resource communication activity data. Once a 
system administrator confirms Ae ^finition of the data source template for a data source, the data 
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extractor my be placed in its operational mode for extracting data from data sources for which data 

templates have been defined. 

Organizational data resource ownership data includes data for identifying the data resources 
from which communication activity data are extracted and the organizational entities owning the data 
5 resources. T^ically. these organizational entities include company data, division data, depa^ 
data, and employee data. This data may then be linked to identify an employee as being associated with 
a particular department and division within a company. These entities for an organization arc merely 
exemplary and ofter components of organizational structure may be used. This data contain sufficient 
information to identify every data resource within an organization and the person associatad with 
10 operation and utihzation of that resource. In a preferred embodiment of the present invention, the 
relationship between corporate entities and data resources are implemented with join tables in a 
reUtional database, although other types of data repositories and data linking may be used. 

n»e communication activify report generator may be used to generate a response to a directory 
query, a history query or both. A response to a directory query identifies one or more data resources 
15 and the ownership data linked to that device. A response to a history query identifies for a particular 
time period, one or more data resources, the network activity initiated by Aose data resources and 
ownership data linked to those data resources. To faciUtate generation of query responses, the 
organizational data resource ownership data includes history data that identifies time periods during 
which an owner is associated with either a data resource or a particular organizational structure. That is, 
20 the history data may identify the transfer of an owner within Ac organization or the reassignment, 
additional assignment, or deletion of assignment of data resources to a particular owner. This history 
data need only be updated when an owner is reassigned within an organization or data resources are 
added, deleted or reassigned within the organization. 

BitTCF i>Ksnm»noN of the PRA^^a^ 

25 The acconqjanying drawings, which are incorporated and constitute a part of the specification, 

illustrate preferred and alternative embodiments of flic present invention and. togcllier wife a general 
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description given above and the detailed description of the embodiments given below, serve to explain 
the iHinciples of the present invention. 

Fig. 1 is a depiction of the system of the present invention and exemplary data sources that may 

communicate with the system; 
5 Fig. 2 is a block diagram showing the relationship between data sources, data resources and 

network activity data for boili netwoik and voice data; 

Fig. 3 A is a depiction of cxcnq>lary data ouQjut by a PBX data source; 
Fig. 3B is exenq>lary output of a proxy server data source; 

Fig. 3C is a depiction of exemplary data records output by a difiBssrent version of the proxy 

10 server shown in Fig. 3B; 

Fig. 4 shows data resource communication activity data extracted fiom two different data 

resouices; 

Fig. 5 is a data flow process diagram of the data extractor shown in Fig. 1; 
Fig. 6 shows the join table relationship of the preferred embodiment of the present invention 
1 5 used to identify data resource ownership data; 

Fig. 7 shows exemplary table structures for oOTporate entity information; 

Fig. 8 shows exemplary data structote for join tables used to identify date resource ownership 

data; 

Fig. 9 shows an exemphny graphical user inteifece (GUI) for a directory interfecc to the report 

20 generator shown in Fig. 1 ; 

Fig. 10 shows an exemplary GUI for a reporting intcrfece of die report generator shown in Fig. 

1: 

Fig. 11 depicts in schematic form the relationdiip between organizatiwial component data 
tables, the associated join tables, and a row of a history table; 
25 Fig. 12 shows exemplary data structure of history data in the database of the present invention; 

Fig. 13 is a process flow diagram of the process for generating a standard report by system of 
the present invention; 

Fig. 14 is a process flow diagram of the reporting engine process flow for a single destination; 

-5- 
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Fig. 15 is a piocess flow digram for the process of the cepOTting engine for multiple 
destinations; and 

Fig. 16 is a piocess flow diagram for the reporting engine to identify an email breakout. 

n ^T-An Fn HKsrRiPT 'o^^J the invention 

5 A system and method operating in accordance with the principles of the present invention are 

shown in the network depicted in Fig. 1 . Data souices such as routers 12. web servers 16. firewall/proxy 
servers 20, PBXs 24. and calling card imports 28 are coupled to communication data manager 30. As 
shown in Fig. 1. data resources such as PCs 34 and telephones 38 are coupled through data sources 20 
and 24, respectively, to manager 30. PCs 34 are shown coupled together in a computer network and 

10 telephones 38 are shown coupled together in a telephone network. Manager 30 includes data extractor 
40. database 44. and communication activity report generator 48. As may be seen ftom Fig. 1. data 
sources 12. 16. 20. 24. and 28 may be directly coupled to manager 30 or they may be coupled together 
through a computer communication network such as a LAN or WAN. In either arrangement, network 
activity data for the telephone network and the computer network may be provided to manager 30 for 

IS processing. 

Manager 30 is preferably implemented as a computer program that may be executed on one or 
more computers. Preferably, the program is written in the C programming language and modules of the 
program are provided as components in a dynamic link Ubrary for execution on a computer. The 
computer that executes a program implementing manager 30 preferably operates under a Microsoft 

20 Windows NT 4.0 (Service Pack 4 or 5), Windows 95, or Windows 98 operating system and includes at 
least a Pentium 200 MHz processor and 128 MB of RAM. The video display is preferably of SVGA 
quaUty with a resolution of 800x600 pixels. The hard drive capacity is a fimction of the data sources 
coupled to the computer and preferably includes at least 130 MB of storage space plus an amount equal 
to one-half of flie largest file to be received from a data source plus at least IK of space for each voice 

25 data record to be received from a data source during data retrieval. 



-6- 



WO0(W21312 PCT/US99/22783 
The following definitions aie useful in understanding the detailed description and are set out 
below to facilitate the reader's understanding of the description, but not to limit the meaning of the 
disclosed terms to the definitions set forth below. 



5 nta Snyree 

A data source is a top level entity such as a PBX, fiiewall. proxy server, or router that is a 
source of network activity data regarding callAwce or intemet/networlc activity. 

naiaRcsoarce 

A data resource is a devi(» flat initiates calVvoice or intemetfeetwoik acti^ 
1 0 DBAs, calling card account numbers (or virtual extensions), network internet protocols (IPs), and User 
IDs are examples of such devices. If a data resource provides calVvoice or intemettoetwork activity 
data ftom the activity it initiates then the data resource may also be considered a data source. 

Network Activitv 

Network activity data is data regarding call/voice or internet/network activity managed by a 
15 data source. Such date are typicaUy logged to a log file as network activity data. Each data resource 
session or event managed by a data source generates activity that the data source may export to a log 
file as network activity. Network activity transmitted to the log file conttins date elements that identify 
the data resource that initiated flie netwok activity. Primary call/voice network activity data include 
extension, trunk, access code, directiiwi, session date/time, duration, and number dialed. 
20 fatemetAietwork activity date inchide IPAJser ID, protocol, direction, session date/time, volume, and 
originating/destination URL. Primary call/voice activity date and intcmettoetwork activity are 
collectively called network activity date herein. 

Company 

Company is the top level entity in an organization. 

25 Division 

A division is a second level entity in an organization. 

-7- 
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Department 

A department is a third level entity in an organization. 
Owner 

An owner is a fourth level entity in an organization, which represents people or miscellaneous 

5 entities that use data resources. While an owner is preferably an employee, it may be any organizational 
entity to which a data resource may be assigned. 

Fig. 2 shows the relationship between a data resource and a data source. As shown in that 
figure, data resources may use an identifier such as an IP address, a user identification number, a 
telephone extension, a calling card account number, or direct inward system access (DBA). These data 

10 resources generate network activity such as telephone calls, file transfer operations or queries for files. 
Network activity is typically managed by a data source such as a firewall, proxy server, web server, 
router. PBX or calling card import. These data sources generate network activity data that identify 
data resource that initiated network activity handled by the data source and the initiated network 
activity. This network activity data are typically provided by a data source to a log file. The log file 

15 may be stored in the data source, provided through an API to another application program for 
processing or storage purposes, or transmitted througji a hardware port on the data source, such as tiie 
serial data port of a PBX. Data extractor 40 of manager 30 includes the requisite hardware and/or 
software interfaces to communicate with these various APIs, hardware ports, or log file strucmres to 
receive data log records from data sources. As explained in more detail below, data source templates 

20 are used to identify data fields in log data generated by data sources and data resource templates are 
used to identify network activity data in log data. While log data are preferably obtained from data 
sources, some data resources may generate log data for network activity initiated firan the data r^urce. 
In this scenario, data resources and data sources are the same. 

Figs. 3A, 3B, and 3C depict various formats for difBerent data sources and veraions of data 

25 sources. For example. Fig. 3A shows call detail records generated by a particular type of PBX while the 
log data records as shown in Figs. 3B and 3C are generated by two different versions of a proxy server 
made by the same manufecturer. Thus, Figs. 3A, 3B, and 3C demonstrate the different formats for log 

-8- 
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data generated by different data sources and Figs. 3B and C, in particular, show that different versions 
of the same manufacturer's data sources also provide data in different formats. 

In order to accommodate the numerous formats of network activity data generated by various 
data sources, manager 30 includes data extractor 40. Data extractor 40 receives network data from data 
5 sources and extracts data from the network data for generation of data resource communication activity 
data. AdditionaUy. data extractor 40 preferably performs costing computations on die communication 
activity data and merges the cost data and communication activity data into database 44. 

Data extractor 40 is preferably comprised of five processing modules, namely, a control 
processing module, a reformatting module, a costing module, a merging module, and an alarm module. 
10 These modules are prefenibly implemented in program files in a dynamic link Ubnuy (^^ The 

functionality of these modules may briefly be described as: 

Control DLL 

This module controls the management of the input and output queues for the four other modules 
of data extractor 40. A control ttnead starts by retrieving communication activity data for a data source 
15 to be processed. Tl^n it initiates the Dlis for the other modules of data extractor 40. As network 
activity data are provided to the reformat module, the output queue of the modules of data extractor 40 
are monitored to facilitate the continuous flow of data between modules. 

Rrformat DLL 

This module contains the code used by the reformatting engine. It uses data source templates to 
20 extract data resource communication activity data from network activity data. The extracted 
communication activity data may titen be processed by the costing engine and alarm engines. This 
extraction is required because data sources generate network activity data in formats that are 
manufacturer and model ^>ecific. Data source templates aUow the refimnatting engine to map data 
from network activity data generated by different data sources to a standard format that may be 
25 processed by the costing and alarm engines. Though the control thread usuaUy handles how to pass on 
the data, tbs reformatting engine psnerates special detailed ou^t during test mode, and this test mode 
output is written to a text file for later viewing. A system admmistrator may view the text file to modify 

-9- 
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or create data source templates. Detailed output may also be generated when errors axe found in the 
network activity data. Fig. 4 depicts such e»mplary output records for communication activity data. 

Cost DLL 

This module contains the code used by the costing engine. This engine allocates a cost for 
5 network activity identified by data resource communication activity data. It implements costing 
methods set up for a data source to determine the coirect origination, destination, and cost of the activity 
identified by the data. TTus cost data generated by this module is incorporated in the special detail^ 
output records during operation of esdractor 40 in test mode so data source temphites may be configured 
to contain costing data. 

10 Marge DLL 

This module contains the code used by die merging engine. Because this operation is time 
intensive, itas module preferably does Uttle oAer than me^g records into Ae database. Its main 
operation is to enforce rules to protect the referential integrity of the activity data once stored in 
<^at ftb as«> 44. These rules ate discussed in more detail below. 

15 Alarm DLL 

This module contains the code used by the alann engine that compares data resource 
communication activity data to thresholds. For example, telephone calls to exotic locations or calls that 
exceed some time duration may cause the alarm engine to generate an electronic page or email message 
to alert a system administrator of communication activity that may constitute abuse. Alarm records may 
20 be generated and stored in database 44 if &e thresholds are exceeded. 

The flow of imcessing through these five modules of data extracU^ 40 is depicted in Fig- 5. 

i 

The processing of the reformat, costing, merging, and alarm modules is managed by the control module. 

As shown in the Fig., control module 50 retrieves network activity data firom the log data received firom 

various data sources and provides Ais data to reformatting module 54. Reformatting module 54 extracts 

25 communication activity data firom the network activity data. The communication activity data are then 

provided by control module 50 to costing module 58. Costing module 58 determines the correct 

origination, destination, and cost of the activity. The cost data are then incorporated in the 

-10- 
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, awmnunication activity data. Merging inodule 62 thea enforces the rules to protect to 

integrity of the communication activity data and preferably stores the communication activity data in 
database 44. The cost data are also provided to alarm processing module 66 where the communication 
activity data are compared to threshold values to determine whether any alann conditions exist. If 
5 alarm conditions are detected, messages regarding the alarm condition may be generated and deUvered. 
Also, alarm records may be generated for sttjrage in database 44. 

Preferably, reformatting module 54 and costing module 58 may operate in a test mode to 
generate data records that ate not stored in database 44 but rather displayed through report generator 48 
to a user, fa this manner, a user may verify Aat the data source templates used by reformat module 54 
10 and costing module 58 extract dl information lequwed for processing by manager 30. When data 
extractor 40 is in its operational mode, costing module 58 and reformat module 44 both provide 
communication activity data for storage in database 44. The exemplary data shown in Fig. 4 does not 
show aU data preferably stored by manager 30 in database 44. Otor data extracted by reformat module 

54 include incoming activity volume, outgoing activity vohnne, security statistics, and activity 
15 origination details. Once network data have been processed by data extractor 40 of manager 30. 
summary statistics may be generated before control module 50 terminates its processing. 

nataha se Design 

Preferably, database 44 is managed and structured to optimize the management and tracking 
function for the time-dependent relationships stored in database 44 and the reporting fimction for those 

20 relationships. Consequently, the database design is preferably divided into two parts, one part designed 
for data mana^ment and processing and Ae oth« part for data reporting. A directory interfece is 
included as part of the GUI of report genraator 48 to manage and process the time-dependent 
relationships between resources and flicir data sources whUe the reporting fimction uses a history table 
to wi a i pt atn hierarchical data for relevant time periods for the generation of repwts. 

25 The directory interfile preferably opastes on a relational database and ^neratcs join tables 

between two adjoining data tables for organizational structural components to track relationships 
between owners and data resources over time. The organizational structural components are sometimes 
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referred herein as entities. Hie hieraichical structure of entities associated with a data resource 
represents the owner of that resource. The reporting interfece. on the other hand, generates a history 
table to include all leveb of the organizational hierarchy and each row of the history table represents a 
snapshot of the hierarcl^ for a period of time. Hie reporting history table may also be generated fixnn 
5 the organizatioiud structural component records. 

As previously noted (Fig. 2) a static association exists between a data source (i.e., PBX. 
firewaU, proxy server, etc.) and the communication resources (IPs. extensions. DBAs, etc.) managed by 
it TTie activity generated by the resources also has the same static association with the data source 
1 0 through which die activity is managed. 

nAB^nrce and Own er Association 
Database 44 is able to track the association between a data resource and its owner. As noted 
above, an owner is identified by a hierarchical relationship of organizational structural components. 
This hierarchical structure links any organizational oitity or coii?)onent to a resource of any ^ This 
15 linkage enables manager 30 to manage time-dependent associations between any owner and any data 
resource as long as a link exists between die network activity data source and its owner. 

An owner and a data resource are prefierably associated witii a join table. Join tables link a 
child entity to one or many parent entities. Fig. 6 iUustiates how table joins may be used to identify a 
hierarchical relationship between a data resource and its owner. Each contains a reference or idmtifier 
20 of a parent in the parent table and an identifier to the child in die child table. In addition to the parent 
and child identifiers, association start and end date (termination date) stands are generated. The 
management of die start and oid dates provides a time-dependent association between each child and its 
parent. Tracking &e relationships between organizational structural compments and data resources is 
supported witii a history table. Fig. 7 depicts exemplary join table structures for identifying hierarchical 
25 relationships between adjoining company organirational conqwnents. 

The exetapisry data shown in the jom tables of Fig. 8 denumstrate how join tables may be used 
to track hierarchical data for a data resource in die following scenario. Far this scenario, IP resource 
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address 206.241.52.32 and telephone extension resource number 3897 are used. In this scenario, these 
data resources are owned by Richard Moon who joined the Sales Dq>artment on 01/02/1993. On 
09/15/1995 Richard Moon was transferred from the Sales Department to the Marketing Department 
Using join tables as shown in Fig, 8, manager 30 is able to track the employee's ownership of those two 
5 data resources for the time period of 01/02/1993 through 09/15/1995. The OPEN status shown in Fig. 8 
indicates the association is active. In addition, if Richard Moon was unable to retain ownership of 
extension 3897 during the transfer but was assigned telephone extension resource 4780, his ownership 
of extension 3897 would show termination on 09/14/1995 and his ownmhip of extension resource 4780 
would start on 09/15/1995. 

10 Database Log ic for Managing Resources 

Management of data resources during processing of network activity and processing initiated 
throu^ the GUI of report gmerator 48 requires manager 30 to enforce rules for the referential integrity 
of database 44. Implementation of the rules presented below during network activity data processing 
and GUI initiated processing allows users of manager 30 to inodify the hierarchical structure and 

15 resources assigmnents with an effective date that may be past or future. EflEective date is the start date 
that a child is assigned to a parent Rules listed below describe how historical data about relations 
between hierarchical entities, such as. Company, Division, Department, Owner and Resources are 
managed. 

Rulel 

20 No Child is permitted to be orphaned; it must always exist in a valid Child/Parent relationship, 

even if the Parent is the iUnassigned instance. The exception to this, of course, is the Company entity, 
assumed to be die highest level of the tree, and hence has no Parent. 

Rule 2 

Entities may be generated by a user through the GUI of report generator 48 by network activity 
25 data processing or by importing data to maimger 30. Manager 30 generates new data resources only 
when processing telephone activity or importing data from other versims of manager 30 or firewall 
databases. 
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Rule 3 

Every entity is assigned to some paroit on any date between Global Start and Global End. 
Global Start and Global End dates define the beginning and end of a time line for manager 30. If a 
parent is not provided, manager 30 uses the lUnassigned parent by default except for data resources. 
5 Networic activity processing generates defiault owners for each new data resource. These owners are 
assigned to the lUnassigned Department and the resource is assigned to the owner with a Defeult 
EfBective Date == Global Start, End « Global End. 

Rule 4 

Resources may be transferred to other owners including overhead accounts. Effective date of 
10 the transfer may be between Global Start and Global End. 

Rules 

Preferably, the lowest level of granularity for a transfer is one day, although other units of time 
may be enforced. 

Rule 6 

15 Transfer does not overwrite any transfers that happened after tiic transfer effective date, but if 

there was a transfer of the same child on the same day it may be overwritten. 

Transfer of any entity does not aflfect its relationship with its children or the relationships of the 
transfer target with its parent. 

20 Rules 

Entities other than Resources may be terminated. Resources may be unassigned from an owner. 

Rule 9 

If a Resource is imassigned it is moved to the Unassigned bin and assigned to its default owner 
under iUnassigned department Unassignment does not affect transfers with an effective date after the 
25 unassignment effective date. Unassignment may be undone. 
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Rule 10 

Termination may be undone. Tenoaination of an entity does not change the link between Aat 
entity and its children- Unks with chUdren remain unchanged. A user may expli^^^ 
children of an entity being terminated to other parent(s) before or aflcr the termination effective date. 

Rule 11 

If an entity othw than a Resource has never had children (fliere is no transfer record to Ais 
object in die database) it may be destroyed (removed from flie database). 

Example: An employee of the Marketing department, Richard Moon, assigned extension 
3780 was fired on January 15. The system administrator terminated the 
assignment of the extension to the Marketing department with an effective date 
of January 15. On January 20, extension 3780 was transferred to another 
employee. Bob Smith. Bob was in the Support Department before January 25. 
On January 25 Bob was transferred to the Marketing Department. 

All communications made from extension 3780 appear in the Directory GUI 
and Reports under 

before Jan 15 Marketing Department, Richard Moon 

from Jan 15 to Jan 19 Unassigned Department, Richard Moon (if 

processing encounters communications) 
from Jan 20 to Jan 24 Support Department, Bob Smith 

on or after Jan 25 Marketing Department, Bob Smitii 

All communications made from extension 3780 befi(« January 20 appear in tiie directory interface GUI 

and generated reports as being assigned to Richard Moon (even after Richards' termmation on January 

15, if xirocessing encountm communications). All communications made from extension 3780 on or 

after January 20 iqipear in the directory interfile GUI and g^erated reports as being assigned to new 

owner. Bob Smith. 

The rules discussed above are also used to implement operations performed by manager 30. A 
distinction is made between operations that affect the existence of an entity, and operations lhat affect 
the relationship between two entities. Opaations that affect the existence of an entity cither generate or 
destroy rows in the appropriate Conq)any, Division, Department, Owner, or Resource table. Operations 
that affect the relationship between two entities eifrier insert, update, or delete rows in the join tables 
between two entities, which would be the appropriate CompanyDivision, DivisionDepartmcnt, 
DepartmentOwner, or OwnerResource join table. Preferably, manager 30 implements the following 
operations: 
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Opferatiop - Transfer 

1. If effective date is not specified set effective date to Current Date 

2. Limitation rule for Effective date: Effective date may not be less than Global Start 
Date. Preferably, the Global Start Date is 01/01/1980 and the Global End Date is 

5 12/31/2089. 

3. Limitation rule for the undoing of Transfer operations (deleting transfer records) 
performed in fte past at least one transfer must stay in the system (otherwise the object 
becomes orphan). This does not mean ftat an object may not be deleted/destroyed (see 
deletion section below). 

10 Qngratlon > Termination 

Terminations are implemented as transfers to an Unassigned parent Display of content of the 

Unassigned grouping in a Directory may be enabled or disabled. This gives the user the ability to hide 
terminated objects from view through the directory interface GUI of report generator 48. keep historical 
data, have access to terminated olqects in the past before fli^ w«« terminate^ 

1 S restore an object. 

Operation ■ Deictlop 

Company, Division. Department, or Owner may be deleted if there is no join record that points 
to it at any time. Optionally, Company, Division, or Department may be deleted with children if no data 
resource points to any of the children as owners at any tune. This way communications data are not 
20 lost. 

Operation - Transfer Management 
Transfer ID.Child to ID^Parent on ECfDate 

If no transfer of the ID_Child exists // this should happen on creation only 
create one: from EfiDate to GlobalEnd belongs to ID_Parent 
25 lfEfiQDate<GlobalStart 

create one more: from GlobalStart to EfiEDate belongs to lUnassigned 

Else 

if there is transfer of the same child on the same day and parent != IDJPaient 
modify parent to ID_Parent and save 
30 else // insert transfer 

// there should be a record active on EffDate - the system needs to ^iit it 
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// if it does not exist it should be inserted 



5 




of transfer of the same child with StaitDate < EfBDate and EndDate >= 



Qpcratiop - nrfete Transfer 



10 



If there is previous transfer with EndDate = this transfer's StartDate - I day 
update previous transfer set EndDate = this transfer's EndDate 
delete this trahsfe 



else 

error 



//This prevents the manager from deleting the very first transfer 



15 




else 

If there is previous traiisferwithEndDate=thistnmsfer'sStaitD«^ 1 day 
if EffDatel > previous transfer StartDate and EfEDatel <= this Uansfer EndDate 
update previous transfer set EndDate = EfitDatel - 1 day 
iqxIatB this transfa set StaitiDate - Efi3>atel 

else 

// if this is not allowed 
error 

// if this means child really was transferred on the EfiDatel 
Delete this Transfer // aRjly DeleteTransfer Rule 
InserfTransfer IDjCaiild, ID.Parent, Effl>atel 



A piefctred hnplementation of the directory interfice of the report generator 48 is depicted m 
Fig. 9. The organizational and data views 100 and 104 available througji directory 108 rendar the 

35 integration of different data source types visible. In these views, the associations of extensions and 
authenticated IP addresses to an owner may be displayed. Directory 108 also includes controls for 
altering the time window for the display of an historical association. Resource ^rpes 1 10 may also be 
displayed and the FIND ftmction 114 supports quick access to specific critaia that a user may define. 
These defined criteria may be used to locate information and to set an effective date for the Directory. 

40 In to manner, managing and tracking oftiniedq)endent associations are sinq>Ufied. ManageoEusnt of 
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these assignments is simplified using a single GUI that also increases the productivity of system 
administrator. 

p<» pnrring Interface 

A preferred implementation of reporting interfece 1 16 of report generator 48 is depicted in Fig. 
10. Categories 118 ate designed to consoUdate voice and network activity while still providing for 
individual data source reporting, if necessary. lnterfiu«J 1 16 uses a history table because the preferred 
structure of database 44 discussed above for managing and tracking time^tependent relationships is not 
optimal for reporting against those relationships. A history table mcludes all levels of a hierarchical 
rehitionship and each row of this table represents a snapshot of the hierarchy for a period of time. 
Management of these assigmnents is simplified using a single GUI that also incnascs the productivi^ 
of system administrator. 



Using a history table, reporting interfiwe 1 16 may quickly access historical infimnation on any 
single data source or on multiple data sources of different data source types. The history table is only 

15 used by reporting interfece 116 and is not maintained directly by operations on the organizational 
sliucture. Operations affecting organizational structure may come fiom directory interfece 108, from 
processing network activity data, and from imports. Because the history table is not ke^ 
table needs to be completely rebuilt after any rule operation noted above occurs on the schema (changes 
that affect Company, Division, Department. Owner, or Resource). Fig. 11 depicts the relationship 

20 between organizational component data tables 120, the associated join tables 122, and a row 124 of a 
history table as preferably implemented. An exemplary segment of history table reflecting the Richard 
Moon scenario discussed above is shown in Fig. 12. 

Preferably, a stored procedure that rebuilds fee history table includes a database cursor. An SQL 
Query that feeds the cursor produces a join of all valid rows between CompanyDivision, 

25 DivisionDcpartmcnt, DepartmentOwner, and OwnerResource join tables. The cursor logic loops 
throu^ each of feese rows, and detenoaines the MAX of the start dates and fee MIN of fee end dates. 
This detCTmination defines the time segment for vAdch a row is a snapshot of the con?)lete organization 
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structure, was valid, ms infonnaticm is thim insate^ T^"** 
Hlstoiy table is built under the name "HistoryNeW. and when the new table is constructed, the cuntait 
"History" table is renamed "HistoryOld". and 'HistoiyNew" is renamed "History". 

The system prefiaably uses a "History Dirty" flag as a signal to the reporting 
5 history table needs to be rebuilt Ariy process that changes fee organizatiomd structure 

flag, but preferably does not reconstruct the history table. When the reporting interfiice executes, the 
flag is checked, and If true, the stored procedure to rebuild the table is executed. >yhile the stored 
procedure for history table t^uilding is executing, all other reporting intetfecc processes are suspended 
(blocked in a wait state) untflihe table is rebuilt After the table is reconstructed, fee flag is set to felse, 
10 and all ofeer reporting interface processes are miblocked. Since reporting interfece processes may run 
from several machines at the same time, the blocking mechanism is prefeiably done in fee database. 

RenortinP Process Flows 
To fiiciUtate the generation of reports and to more efficientiy distribute reports to recipients, fee 
system and method of the present mveation enables a user to define and store a report template that may 
15 be used later. Users may also limit fee result set obtained by a report template by using filters on 
individual data source elements. These filters enable reports to drill down into Die details and summary 
statistic on all data contained in database 44. 

A process for generating reports is shown in Fig. 13. That process begins by determining 
whether fee user wants to use a predefined system report template (block 200), a user report template 
20 that has been previously stored (block 204X or a category template (block 208). After a report template 
is selected, a report object is generated using the selected template. A report object is a container class 
that is used as an interfiice between reporting interfece 1 16 and report engine of communication activity 
report generator 48. Filters for the report object may then be selected. Hiese filters include a date filter 
(block 210), a numeric filter (block 214) or multiple selection criteria filter (block 218). Data defining 
25 the ctestination far the r^ort and its fonnat are then inccnpocated wifein fee report object (block 220). 
Format options for reports include Microsoft Word, Excel. HTML while destinations may include a 
display for a report preview, a disk file, printer, or an emaU address. If fee recipient is to receive fee 
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report via email thra destination infonnation and data regarding the email transfer are also incorporated 
in the object (block 222). Data for configuring the contents of the report including unique headings and 
currency formats may also be incorporated within the report object (blocks 228^30). Once the report 
object is completely generated, it is passed to report engine 46 of communication activity report 

S generator 48 for execution. 

The process for executing a report object for a single destination is shown in Fig. 14. Once the 
report object is generated and provided to report engine 46 (block 234), a print job is opened and this 
processing initializes import engine 46 (block 236). Using the filter data in the report object, nqjort 
engine 46 generates selection formulas (block 240). Preferably, selection filters are SQL statements or 

10 SQL stored procedures for querying database 44. The destination data of flie rqport object are then used 
to direct the result set of the selection formula (block 244) and the selection formula are executed. Once 
the report set is obtained, the system determines whetho* the user has requested a preview of the report 
(block 248). If a preview was requested, a preview window of tiie report is generated and displayed for 
the user (block 250). If the user decides to terminate flie report g^eration after viewing the preview 

15 (block 252), the print job is closed (block 254). If no preview is required or the report is to be sent 
following preview (block 256), the report is configured as required by the destination and format data- 
witiiin the report object depending upm whether the report is printed (block 258) or transmitted 
electronically (block 260). Once the repcnrt has been sent, the print job is closed (block 254). 

The process for generating and sending a report generated by a report object to multiple 

20 destinations is shown in Fig. 15. The process begins as described above with respect to Fig. 14 (blocks 
234-252). To avoid executing the selection formula multiple times for multiple destinations, a 
temporary file is opened (block 268) and the rqiort set obtained by operation of the selection formula on 
database 44 is directed to the temporary file (block 270). That file is then closed (block 274) and the 
exports of the report set are performed against this file. For each destination,- the temporary file is 

25 opened (block 276), the report set is configured with reference to the destination data (block 278), and 
the report is then sent to the destination (block 280). The teiiqH>rary file is then closed (block 282) and 
the process determines whether die report has been sent to all destinations defined in ttie report object 
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(block 284) and if not, the process continues by processing the tenqxiraiy file again (block 276). 

OAorwise, the piocess tenninates. 

The process for generating a report, separating it into sections, and sending each section of the 
report to a different destination by emaU is shown in Fig. 16. Hie process begins as described above 
5 with respect to Fig. 14 (blocks 234-252). This occurs, for example, when a report is sunnnaiized by 
department and each department section of the report is to be sent to a representative in each 
department. Preferably, this type of automatic separation of a report is provided by pre-configuring a 
report tcmptete to separate the report in conespondence with the organizational level at which the report 
is to be summarized. To separate the report, the process queries the organizational level that 
10 corresponds to the report breakout level group (block 300). The enuril address fiw each section of the 
report is tiien determined (block 304). A print job is then opened for the a destination (block 306) and a 
filter an>hed to the report set to remove data fliat does not correqwnd to the destination (block 308). 
The filtered data set is then configured and sent to tiie corresponding address (block 310). The print job 
is then closed (block 312). If report sections for other destinations remain (block 314), a new print job 
15 isopened(block306)andprocessingcQntinue8forthatreportsection(blocks306-312). Onceallofthe 

report sections have been sent, the process tenninates. 

While the prwent invention has been iUustrated by ti» description of tiie preferred and 
alternative embodiments and while the embodimeots have been described in considerable detail, it is not 
the intention of tiie applicants to restiict or anyway limit tiie scope of tiie appended claims to such 
20 detail. Additional advantages and modifications will readily appear to tiiose skilled in tiie art. The 
invention's broadw aspects are tiierefore not limited to tiie specific details, represented apparatiis and 
metiiod. an illustrative example shown and described. Accordingly, dq»artoires may be made ftwn such 
details witiiout departing from the spirit or scope of i^yplicant's g«ierai inventive concepts. 
What is claimed is: 
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CLAIMS 

1. A system for tracking ownership of the network activity of data resources comprising: 

a data extractor for extracting data resource communication activity data from a 
plurality of network activity data sources; 

a database of oi^anizational data resource ownership data; and 

a communication activity report generator for correlating extracted data resource 
communication activity data and organizational data resource ownership data so that ownership of 
communication activity may be tracked. 



2. The system of claim 1, said data extractor further conqirising: 

a reformatting module for converting network activity data to data resource 
conununication activity data. 



3, The system of claim 2, said data extractor further comprising: 

a costing module for computing costing data for data resource communication activity 

data; and 

a merging module for merging said costing data and said data resource communication 
activity data in a said database. 



4. The system of claim 3, said data extractor further comprising: 
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an alann module for coixq)aring said data resource communication activity data to 

thresholds. 



5. The system of claim 1, wherein said alarm module also generates alarm data in 
5 response to said data resource communication activity data exceedii^ said thresholds; and 

said merging module mexgcs said alarm data into said database. 



6. The system of claim 1 , said database further conq>rismg: 

organizational data tables for containing organizational conqxment data; and 

10 join tables for linking adjoming organizational data tables so that an owner of a data 

resource may be identified by said join tables. 

7. The system of claim 6, said database fiother comprising: 

a histoiy table for containing ownership data for a data resource for a specified time 

IS period. 



8. The ^tem of claim 1. said communication activity data report generator further 
conqirising: 

a directory interface for providing a view of organizational data stored in said database; 

20 and 

a reporting inter&ce for defining a report object to query said database. 
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9. The system of claim 8, wherein said m«ging module invlements rules for maintaining 
referential integrity of said data resource communication activity data stored in said database. 
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10. A method for tracking ownership of the network activity of data resources comprising: 

extracting data resource communication activity data from a plurality of network 
activity data sources; 

storing organizational data resource ownership data; and 

5 correlating extracted data resource communication activity data and organizational data 

resource ownership data so that ownership of communication activity may be tracked. 

1 1. The method of claim 10, said extraction further comprising: 

converting network activity data to data resource communication activity data. 



10 



12. The method of claim 1 1 , said extraction further comprising: 

computing costing data for data resource communication activity data; and 

merging said costing data and said data resource communication activity data in a 



database. 

15 



13. The method of claim 12, said extractim fiirther comprising: 
conq>aring said data resource communication activi^ data to thresholds. 

14. The method of claim 12, said comparison further comprising: 
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gencmting alarm data in response to said data resource communication activity data 
exceeding said thresholds; and 

merging said alarm data into said database. 

15. The method ofclaim 10, said storage furthCT comprising: 
storing df ganizational component data; and 

linking organizational component data to identify an owner of a data resource. 

16. The method of claim 15. said storage further conqprising: 

storing data to identify ownership data for a data resource for a ^ecified time period. 

17. The method of claim 10, furtho" conqirising: 

providing a view of organizational data stored in said database; and 
defining a report object to query said database. 



18. Themethodof claim 17, furtfier comprising: 

maintaining referential integrity of said data resource communication activity data 
stored in said database. 
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PBX - CAU DETAIL RECORD OUTPUT 
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PROXY SERVER - LOG OUTPUT - VERSION 1.0 
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